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FAQ: APD DECISION ON IAB EUROPE AND TCF - Updated February 2023 


@ eu 


The Belgian Data Protection Authority (APD) handed down on 2 February 2022 a decision 
on IAB Europe and the Transparency & Consent Framework (TCF). The decision identifies 
IAB Europe as a (joint) data controller for the processing of TC Strings (digital signals 
containing user preferences the APD considered to be personal data) as well as for 
subsequent processing of personal data in the context of the TCF. You can read the full 
decision here. 


On 4 March 2022, IAB Europe filed an appeal against the APD decision of February 2022 
before the Market Court (Court of Appeal of Brussels), because it claimed that IAB Europe 
acted in breach of the General Data Protection Regulation (GDPR). On 7 September 2022, 
the Market Court referred preliminary questions to the Court of Justice of the European 
Union (CJEU) and suspended its deliberation on the merits of the case (see “about the 
appeal before the Belgian Market Court and referral to the CJEU’). 


On 1 April 2022, IAB Europe submitted an action plan in line with the orders of the APD 
decision of February 2022, which remained provisionally enforceable pending the appeal 
procedure. Each step described in the action plan is the result of a careful assessment of 
which measures are best suited to meet the APD’s interpretation of the GDPR and deliver 
extended compliance functionality to the TCF. On 11 January 2023, the APD issued a 
decision which informed IAB Europe that it had validated all points of the action plan. The 
deadline for implementing the action plan is 11 July 2023 (see “about the execution of the 
decision and IAB Europe’s action plan’). 
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ABOUT THE APPEAL BEFORE THE BELGIAN MARKET COURT 
AND REFERRAL TO THE CJEU 


Why is IAB Europe appealing the APD decision? 


IAB Europe is appealing the February 2022 decision because it considers it to be wrong both 
in its assessment of the facts and in its legal analysis. The APD fails to justify its position on 
two fundamental issues, namely its claims that the TC Strings involve the processing of 
personal data and that IAB Europe acts as controller in relation to the TC Strings, despite the 
fact that IAB Europe is merely managing the framework, not the technologies implementing 
the framework or the actual processing based on the framework. Beyond these two 
fundamental points, the APD alleged that the TCF in its current form is unfit to provide 
transparency and demonstrate a lawful basis for certain data processing, but did not provide 
any tangible justification for this position; instead, the APD merely carried out a limited 
assessment of the minimum requirements laid down in the TCF Policies and Technical 
Specifications, with no case-by-case investigation of the actual measures taken by TCF 
participants to comply with their own data protection obligations. 


IAB Europe disputes notably the controversial and novel allegation that it acts as a controller 
for the recording of TC Strings (the digital signals containing user preferences about the 
processing of their personal data), and as a joint controller for the dissemination of TC 
Strings and other data processing done by TCF Vendors under the OpenRTB protocol. IAB 
Europe also challenges the APD’s assessments on the validity of legal bases established by 
the TCF, which were done in the abstract, without reference to the particular circumstances 
surrounding any discrete act of data processing. 


What did the Belgian Market Court do in the ruling issued on 7th September? 


The ruling issued on 7th September is an “interim ruling”. In it, the Belgian Market Court 
provided its findings on the procedural arguments raised by IAB Europe in its appeal but 
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asked two questions to the CJEU and suspended its reflection on the substantive arguments 
(i.e. arguments regarding the alleged GDPR infringements) pending answers from the 
CJEU. The questions concern, respectively, (i) whether the TC String — the digital signal 
containing user preferences about the processing of their personal data — constitutes 
personal data under the GDPR and (ii) whether IAB Europe should be considered to be a 
controller for personal data processed under the TCF (both in relation to the TC String and 
even in relation to further processing, for instance targeted online advertising by Publishers 
and Vendors). 


Once the CJEU responds, the Market Court will resume its examination of IAB Europe’s 
other substantive arguments. Notably, in its appeal, IAB Europe also challenged all of the 
APD’s assessments about the validity of legal bases established by the TCF. 


The Market Court has already ruled on the procedural part of the appeal, i.e. the points 
challenging the way the APD handled the enforcement procedure against IAB Europe. The 
Market Court confirmed in the interim ruling, in line with IAB Europe’s arguments, that the 
APD’s February 2022 decision was insufficiently substantiated in relation to the issue of 
whether a TC String is personal data and that the decision failed to meet the relevant 
standard for proper investigation and fact-finding - which will have a bearing on the ultimate 
outcome of the case, irrespective of the CJEU’s answers. 


Why has the Belgian Market Court referred questions to the CJEU? 


In its interim ruling, the Market Court explained that it is not self-evident that IAB Europe 
should be considered as a data controller for the processing of personal data within the TCF 
or that TC Strings should be considered personal data. The Market Court noted that the 
CJEU has not yet had the opportunity to rule on the “new and far-reaching technology” at 
issue in the contested decision. 


IAB Europe had (i) rejected the APD’s allegation that the TC String is personal data for IAB 
Europe, arguing that the Internet user whose choices go into a TC String is not identified or 
identifiable for IAB Europe, and (ii) rejected the APD’s allegation that it is a controller, 
arguing that this reflected an incorrect interpretation of the GDPR and would have grave 
negative implications for standard-setting organisations everywhere. In its final written 
submission to the Market Court, the APD itself suggested a referral to the European Court 
on the second issue, while the complainants in the case themselves suggested a referral on 
both issues. The broad implications of the APD’s sweeping interpretation of the concepts of 
personal data and controllership made a referral to the CJEU a logical next step. 


How long will it take for the CJEU to rule on the preliminary questions? 


The procedure before the CJEU started on 28 October 2022, and IAB Europe submitted its 
written observations on 6 January 2023. We expect the CJEU to take between twelve and 
eighteen months to hand down its judgement. Once the judgement has been delivered, the 
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Belgian Market Court will be able to conclude its deliberations on the substantive issues 
raised in IAB Europe’s appeal of the APD’s decision of February 2022. 


ABOUT THE EXECUTION OF THE DECISION AND IAB 
EUROPE’S ACTION PLAN 


Why did IAB Europe submit an action plan to the APD? 


The APD decision of February 2022 remains provisionally enforceable pending the outcome 
of the appeal proceedings. For this reason, on 1 April 2022, IAB Europe submitted to the 
APD the action plan required by the decision. 


Each step described in the action plan is the result of a careful assessment of which 
measures are best suited to meet the APD’s interpretation of the GDPR (as laid out by the 
APD in February 2022) and deliver extended compliance functionality to the TCF. It reflects a 
collaborative effort and in-depth discussions amongst IAB Europe member companies and 
associations, which convene in the TCF working groups to iterate the TCF, to meet the 
expectations of the APD. 


Why did the APD validate the action plan ? 


When IAB Europe initially asked that enforcement of the APD decision of February 2022 be 
put on hold until a final ruling by the Market Court on the merits of the appeal, the APD 
committed to wait until after September 2022 before validating the action plan, date by which 
the Market Court was expected to have issued a final ruling on the appeal. 


However, following the Market Court’s interim ruling, through which it referred questions to 
the CJEU, the APD informed IAB Europe that it intended to further examine the action plan 
without waiting for the end of the appeal proceedings. 


While the action plan could have served as a basis for discussion with IAB Europe on how 
best to deliver extended functionality to the TCF pending the procedure before the CJEU, 
the APD decided to formally validate all points of the action plan on 11 January 2023 - 
preempting responses from the CJEU on the core issues of what is “personal data” and who 
can be viewed as a “controller”. 


It is unclear why the APD decided to move forward with the validation of the action plan 
instead of engaging in a dialogue with IAB Europe to seek evolutions to the TCF, as the 
CJEU will not have rendered its judgement by the end of the six-month deadline to 
implement the plan. 
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Why is IAB Europe appealing the APD decision to validate its action plan and seeking 
interim measures? 


The measures proposed in the action plan stem directly from the assumption that (i) the TC 
String (a digital signal containing user preferences) should be considered personal data and 
that (ii) IAB Europe acts as a (joint) controller for the dissemination of TC Strings and other 
data processing done by TCF participants. Both of these assumptions have been referred to 
the Court of Justice of the European Union (CJEU) by the Belgian Market Court for a 
preliminary ruling. 


The challenge filed by IAB Europe in response to the APD’s decision to validate the action 
plan is therefore intended to prevent the APD from preempting the CJEU’s response. This 
way, the APD can be prevented from enforcing implementation of changes to the TCF that 
may need to be rolled back when the CJEU’s ruling is rendered, if the CJEU agrees with IAB 
Europe’s arguments. This formal challenge turned out to be indispensable as the APD has 
not shown any clear willingness to engage in dialogue with IAB Europe following its decision 
of January 2023, and seems unlikely to provide guidance between now and 11th July 2023. 


What does the validation of the action plan mean for the TCF? 


The validation of the action plan confirms the legal functionality of the Transparency and 
Consent Framework (TCF) within the provisions of the General Data Protection Regulation 
(GDPR). While IAB Europe is pleased that the action plan was favourably received by the 
APD, it has grave reservations about the APD preempting responses from the CJEU. The 
APD’s approach regarding the action plan would in practice require implementation of 
changes to the TCF that might need to be rolled back at the end of the appeal proceedings. 


What does the action plan cover? 


The action plan outlines how IAB Europe, in its capacity as Managing Organisation of the 
TCF, will deliver on the formal orders laid down in the decision and has been broken down 
into six separate sections: 


1. Deletion of “global-scoped” TC Strings: Although support for the “global-scope” 
functionality has been removed in June 2021 from the TCF policies due to the overall 
negligible use of global scope by Publishers and due to an indication by several data 
protection authorities that users should be clearly informed of the digital properties where 
their choices apply, IAB will revoke previously delegated subdomains of consensu.org 
([cmp-name].mgr.consensu.org) at the end of the implementation period to mitigate any 
remaining theoretical risk of CMPs writing ‘euconsent-v2’ cookies associated with the 
consensu.org subdomains (see the notification here). 

2. Establishing of a legal basis for the processing of TC Strings by IAB Europe. Because the 
APD considered that the TC String is personal data, and that IAB Europe acts as a (joint) 
controller for its processing and subsequent data processing, the action plan includes new 
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standard disclosures that aims to inform users adequately about the (alleged) processing of 
personal data by IAB Europe. 

3. Restrictions over the reliance on legitimate interest as a legal ground by Vendors. The 
APD concluded that legitimate interest was inadequate for purposes that entail targeted 
advertising or profiling of users. The action plan therefore introduces specific restrictions and 
additional transparency requirements applicable to participating Vendors that rely on such 
legal basis for certain data processing operations. 

4. Additional transparency for end-users over the processing of their personal data. In line 
with the APD’s expectations that users should be informed in a clear yet concise manner, the 
action plan proposes to further improve the standard user-facing disclosures supported by 
the TCF, and supplement them with additional information that was not yet standardised 
such as the categories of data susceptible to be collected and processed, data retention 
periods etc. 

5. Technical and organisational measures to ensure the integrity of TC Strings. Because the 
APD wished to see stronger auditing and monitoring by IAB Europe, a number of actions will 
be taken by IAB Europe, following the same principles applicable to monitoring bodies in the 
context of GDPR Codes of Conduct and expanding the existing TCF Compliance 
Programmes. 

6. IAB Europe’s own internal compliance. This consists of measures that relate solely to the 
qualification of IAB Europe as a (joint) data controller and do not influence the TCF itself as a 
framework, such as designating a data protection officer (DPO). 


What is the impact of the action plan for TCF participants ? 


Because the TCF is a framework, not a set of technologies, some of the actions will require 
implementation at a technological level by TCF participants such as CMPs and Vendors. The 
measures proposed in the action plan have therefore been chosen in part because they can 
be delivered according to the aggressive 6-month timeline for implementation. 


What is the deadline for implementation ? 


The deadline for implementation is 11 July 2023. However, IAB Europe filed an appeal 
against the APD’s decision of January 2023 to validate the action plan in order to prevent the 
APD from preempting the CJEU’s responses. This way, the APD can be prevented from 
enforcing implementation of changes to the TCF that may need to be rolled back when the 
CJEU’s ruling is rendered, if the CJEU agrees with IAB Europe’s arguments. In the event 
where the APD’s validation decision of January 2023 is overturned and the deadline ceases 
to apply, IAB Europe will still move forward with certain iterations to the TCF that were 
included in the action plan, as well as additional measures that cannot reasonably be 
contemplated in the allotted time. 


Has the action plan been examined by other data protection authorities as well? 


In accordance with Article 60 (10) GDPR, as further interpreted by the European Data 
Protection Board in para. 249 of its Guidelines 02/2022, the APD is required to inform the 


IAB Europe 


europe 


jabeurope.eu 


lab: 


other concerned authorities (i.e. the data protection authorities that the APD consulted under 
the cooperation procedure prior to finalising its February 2022 decision) of any “measures 
taken for complying with the [APD’s] decision”, such as the action plan and the actual 
implementation thereof, notably to ensure the consistent application of the GDPR across the 
EU. It is IAB Europe’s understanding that interactions with other data protection authorities 
took place in practice during the APD’s assessment of the action plan. 


ABOUT THE TCF 


What is the TCF ? 


The TCF is an accountability tool that relies on standardisation to facilitate compliance with 
certain provisions of the ePrivacy Directive and the GDPR. It applies principles and 
requirements derived from these two legislative instruments to the specific context of the 
digital industry, taking account of relevant EU-level guidance from the European Data 
Protection Board (EDPB) and national level guidance from Supervisory Authorities. 


The TCF is intended for use by three categories of stakeholders and is not limited to IAB 
Europe’s members: 


1) Publishers: owners or operators of online content or services where personal data is 
collected and used by third-party companies (Vendors) for digital advertising, 
audience measurement, or content personalisation. For the most part these 
publishers are ad-supported content creators or service providers. 

2) Vendors: third-party companies that do not ordinarily have direct access to end-users 
of Publishers. Vendors can be Ad servers, measurement providers, advertising 
agencies, DSPs, SSPs, and more. Vendors can register to the TCF. 

3) CMPs (Consent Management Providers): software or solution providers that develop 
notices (e.g. cookie banners) to inform users and capture their preferences with 
respect to the processing of their personal data. 


How does the TCF work ? 


(i) Standardisation of the information that should be provided to users about Vendors 


Vendors can register to the TCF as a way of providing and maintaining detailed information 
that should be disclosed to users under Article 13 GDPR. 


This includes their identity, the link to their privacy policies, the duration of the cookies they 
may rely on, whether they use non-cookie methods for accessing users’ devices (e.g. mobile 
identifiers), and the data processing purposes they pursue and associated legal bases. 
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Rather than use free text fields for Vendors to declare their data processing purposes - 
which would result in multiple terminologies for similar processing activities - the TCF 
proposes a “purposes taxonomy”. This “taxonomy” is a menu of commonly pursued 
purposes in the online space expressed in a harmonised terminology, and includes purpose 
names such as audience measurement, fraud prevention, contextual advertising and 
personalised advertising. Vendors select those that are relevant to them when they register. 
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Once a Vendor is registered, all the information will be included in the “Global Vendor List” 
(GVL), a publicly available and machine-readable registry hosted by IAB Europe (here). 


The GVL serves as a central and up-to-date information repository available to Publishers 
and their CMP when they (i) select Vendors they work with; (ii) disclose information and 
provide choices to users about the third parties Vendors they selected. For Vendors that are 
not registered, Publishers and their CMP will gather the same information on a case-by-case 
basis. 


This is further complemented by dedicated minimum practical requirements for Uls that stem 
from guidelines of data protection authorities and jurisprudence. The practical requirements 
for user interfaces (“Uls”) align with the “layered approach” recommended by the EDPB and 
define specific requirements for the first layer of the CMP UI (the “cookie banner’) and the 
secondary layers of the CMP UI (the configuration Uls) (e.g. presenting consent choices as 
“off” by default (e.g. via unchecked boxes), disclosing the maximum duration of cookies 
susceptible to be set on users’ devices or information about the how consent can be 
withdrawn at any time). 


In addition, the TCF requires that the UI contains a link to the more detailed privacy policy of 
the Vendors. 


(ii) Standardisation of how users’ choices should be captured 


The TCF standard set out an open-source binary format for CMPs to capture users’ choices 
in the form of a “TC String’. This consists of a manual explaining how to create a 
machine-readable string of 1 and 0 representing users’ choices in the abstract. 


According to the TCF standard, the format for the TC String captures the following 
information’: 

1. General metadata: standard markers that indicate details about the Publisher’s 
implementation of the TCF (e.g. the language of the Uls) and a day-level timestamp 
of when users have made/updated their choices. 

2. User’s consent per purpose and per Vendor when the legal basis is Consent (“1” 
meaning user’s consent and “0” meaning users’ refusal or withdrawal of consent) 


‘See: https://github.com/InteractiveA dvertising Bureau/GDPR-Transparency-and-Consent-Framework/blob/maste 
/TCFv2/IAB%20Tech%20Lab%20-%20Consent%20string%20and%20vendor™20list%o20formats%20v2.md 
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3. User’s right-to-object per purpose and per Vendor when the legal basis is Legitimate 
interest (“1” meaning the user was informed and “0” meaning users’ objection to 
processing) 

4. Publisher restrictions: metadata specific to the Publisher’s implementation of the 
TCF, e.g. indicating a general prohibition for certain Vendors to pursue a given data 
processing purposes. 

5. Users’ choices for purposes that are not in the TCF taxonomy or for Vendors that are 
not registered (“1” meaning user’s agreement and “0” no agreement). 
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Once users’ choices have been captured in the form of a TC String, the storage mechanism 
used to save it (so that it can be retrieved later on) is decided by the CMPs or the Publisher. 
In practice, many use first-party cookies or local storage. Some for instance use a cookie 
that they name “euconsent-v2”, but the TCF leaves it up to the CMP or Publisher to choose 
which technology (and which label or name) to use (see also below, regarding the 
deprecation of the “global-scope functionality’). 


(iii) Standardisation of how users’ choices should be communicated and respected 


The TCF provides possible mechanisms for Publishers and their CMPs to communicate 
users’ choices to Vendors. This communication is required for two reasons. First, Vendors 
must know that the users consented or did not object to its processing of personal data for 
the purposes it selected. Second, the Vendor must also be able to exercise the users’ 
withdrawal of consent or objections for the purposes it selected. 


For the web environment (websites), it includes a specification for CMPs to develop their 
own proprietary APIs that rely on the same naming conventions (e.g. specific commands or 
functions that will have the same name). This enables Vendors to use the same code to 
retrieve TC Strings or part of TC Strings across multiple websites that use the TCF - rather 
than develop different codes for each website. 


For the mobile app environment (mobile applications), the same naming conventions are 
replicated so that Vendors can use the same code to retrieve TC Strings or part of TC 
Strings across multiple applications. 


Again, this is further complemented with minimum practical requirements for technical 
operations performed by TCF users to ensure users’ choices are respected - such as not 
setting a specific cookie when users have refused or withdrawn consent, or not forwarding 
any personal data to another Vendor that failed to establish a legal basis for its processing. 


What was the “global-scope” functionality ? 


Earlier versions of the TCF provided Publishers with the optional functionality for users’ 
choices to be applicable across multiple websites, rather than on a single website. This 
optional functionality was initially introduced with the aim to reduce so-called “consent 
fatigue”, as it reduced the need to solicit users’ consent on each of the websites they visited. 
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To enable this functionality, IAB Europe registered the consensu.org domain, and delegated 
a subdomain of consensu.org to each registered CMP. This allowed each CMP to store the 
TC String in a third-party cookie associated with the consensu.org domain rather than in a 
first-party cookie, in order to retrieve it across websites. Subdomain delegations enabled 
CMPs to write and read “global-scoped” TC Strings from their own servers, and the 
requirement to use a common nomenclature and to label the third-party cookie used to store 
TC Strings “euconsent-v2” only applied for this global-scope functionality. 
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In practice, there was very little uptake of this optional functionality in particular following 
publications of guidelines by certain data protection authorities that users should be clearly 
informed of the digital properties where their choices apply. As a result, it was deprecated on 
22 June 2021 (see notification here). 


Why can the TCF evolve into a GDPR Code of Conduct ? 


In accordance with GDPR Article 40(2) IAB Europe is an association representing the 
categories of controllers or processors that can use the TCF (IAB Europe’s membership 
comprises national associations, advertisers, agencies, technical intermediaries and 
publishers). 


The TCF has been created in consultation with a broad range of industry stakeholders, using 
a set of structures such as working groups that evolved over time to enlist the direct 
participation of companies and industry associations. Various data protection authorities 
have also been asked for input, which has notably resulted in the evolution of the TCF to a 
version 2.0 and other iterations. 


The result of this broad consultation is a set of voluntary rules (the TCF Policy) and 
underlying open-source implementation guidelines (the TCF technical specifications) that 
assist companies with data protection compliance and accountability in the online sector, in 
particular for informing and providing choices to end-users about data that is being collected, 
the intended purposes of processing, and for communicating and observing those choices. 


Since 2019, the TCF has developed dedicated mechanisms to ensure compliance of 
participating companies with the TCF Policy they voluntarily undertook to observe - with the 
objective of building a monitoring body that will ensure the proper application of the TCF by 
participants (see below the TCF compliance programmes). 


What are the TCF Compliance Programmes? 


The description of the TCF compliance programmes is available publicly (here for CMPs and 
here for Vendors). 


IAB Europe developed a web browser extension called “CMP Validator’, a tool that helps 
CMPs and Publishers check their compliance with the Technical Specifications and Policy on 
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any website. The tool automatically runs technical and policy checks to ensure that the CMP 
Uls align with the minimum requirements of the TCF and that the expression of users’ 
choices is captured correctly. This tool is also used by IAB Europe to verify that the software 
solutions of TCF-registered CMPs operate according to the requirements of the TCF Policy. 


To perform the auditing of both CMPs and Vendors on a large scale, IAB Europe relies on a 
web crawler (a computer program/Internet bot that browses webpages methodically and 
interacts with Uls available on websites to replicate the behavior of real users), 
supplemented by manual testing where necessary. This allows IAB Europe to assess in an 
automated manner if the information that needs to be disclosed to users is indeed accessible 
in CMP Uls, if the TC String created by the CMP matches the random choices made by the 
computer program, and to verify whether the Internet bot’s choices are respected by 
Vendors (e.g. by not the setting cookies or collecting identifiers if they are not allowed to). 
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